Liliana Pasquale

Fuzzy Goals for Requirements-Driven Adaptation

Self-adaptation is imposing as a key characteristic of many modern software systems to tackle their complexity and cope with the many environments in which they can operate. Self-adaptation is a requirement per-se, but it also impacts the other (conventional) requirements of the system; all these new and old requirements must be elicited and represented in a coherent and homogenous way. This paper presents FLAGS, an innovative goal model that generalizes the KAOS model, adds adaptive goals to embed adaptation countermeasures, and fosters self-adaptation by considering requirements as live, runtime entities. FLAGS also distinguishes between crisp goals, whose satisfaction is boolean, and fuzzy goals, whose satisfaction is represented through fuzzy constraints. Adaptation countermeasures are triggered by violated goals and the goal model is modified accordingly to maintain a coherent view of the system and enforce adaptation directives on the running system. The main elements of the approach are demonstrated through an example application.

Service-Oriented Dynamic Software Product Lines

An operational example of controls in a smart home demonstrates the potential of a solution that combines the Common Variability Language and a dynamic extension of the Business Process Execution Language to address the need to manage software system variability at runtime.

Live goals for adaptive service compositions

Service compositions represent an important family of self-adaptive systems. Though many approaches for monitoring and adapting service compositions have already been proposed, a clear connection with the motivations for using such techniques is still missing. To this aim we address self-adaptation from requirements elicitation down to execution. In this paper, we propose to enrich existing goal models with adaptive goals, responsible for the actual evolution/adaptation of the goal model at runtime. We also translate the goal model with both conventional and adaptive goals, into the actual functionality provided by the system and the adaptation policies needed to make it self-adapt.

Requirements-driven adaptive security: Protecting variable assets at runtime

Security is primarily concerned with protecting assets from harm. Identifying and evaluating assets are therefore key activities in any security engineering process - from modeling threats and attacks, discovering existing vulnerabilities, to selecting appropriate countermeasures. However, despite their crucial role, assets are often neglected during the development of secure software systems. Indeed, many systems are designed with fixed security boundaries and assumptions, without the possibility to adapt when assets change unexpectedly, new threats arise, or undiscovered vulnerabilities are revealed. To handle such changes, systems must be capable of dynamically enabling different security countermeasures. This paper promotes assets as first-class entities in engineering secure software systems. An asset model is related to requirements, expressed through a goal model, and the objectives of an attacker, expressed through a threat model. These models are then used as input to build a causal network to analyze system security in different situations, and to enable, when necessary, a set of countermeasures to mitigate security threats. The causal network is conceived as a runtime entity that tracks relevant changes that may arise at runtime, and enables a new set of countermeasures. We illustrate and evaluate our proposed approach by applying it to a substantive example concerned with security of mobile phones.

Adaptive Goals for Self-Adaptive Service Compositions

Service compositions need to continuously self- adapt to cope with unexpected failures. In this context adaptation becomes a fundamental requirement that must be elicited along with the other functional and non functional requirements. Beside modelling, effective adaptation also demands means to trigger it at runtime as soon as the actual behavior of the composition deviates from stated requirements. This paper extends traditional goal models with adaptive goals to support continuous adaptation. Goals become live, runtime entities whose satisfaction level is dynamically updated. Furthermore, boundary infringement triggers adaptation capabilities. The paper also provides a methodology to trace goals onto the underlying composition, assess goals satisfaction at runtime, and activate adaptation consequently. All the key elements are demonstrated on the definition of the process to control an advanced washing machine.

A Generic Platform for Conducting SLA Negotiations

In service-oriented systems, negotiating service level agreements (SLAs) occupies a central role in the service usage cycle. It is during negotiations that parties are brought together in an interactive mechanism determined by the negotiation protocols. The choice and description of negotiation protocol determines the scope of information flow which in turn influences convergence upon an agreement. In this chapter, we observe the state of the art on negotiations and introduce the generic negotiation platform developed for the SLA@SOI framework. We strive for a generic approach for protocol description and execution that also caters for domain-based rationality and ease of adoption.

Towards a unified framework for the monitoring and recovery of BPEL processes

Web services have proven to be a viable solution for interoperability issues. Since end users do not buy services, but only interact with them remotely, such complex systems end up having a distributed ownership, meaning different parts of a system can evolve independently. This has brought researchers to concentrate on run-time management issues such as dynamic monitoring and self-recovery. However, we advocate that no silver bullet has been found. All the major approaches have advantages and disadvantages. In this paper we propose a unified framework for monitoring and recovery that provides a clear separation between data collection and analysis, a common management infrastructure, and a common recovery system. Separating monitoring from recovery allows the framework to integrate different monitoring approaches seamlessly through a plug-in approach. The common management infrastructure allows us to dynamically manage the multiple monitoring approaches being used, while the common recovery approach allows us to activate advanced recovery techniques both on process instances and process definitions.

Topology aware adaptive security

Adaptive security systems aim to protect valuable assets in the face of changes in their operational environment. They do so by monitoring and analysing this environment, and deploying security functions that satisfy some protection (security, privacy, or forensic) requirements. In this paper, we suggest that a key characteristic for engineering adaptive security is the topology of the operational environment, which represents a physical and/or a digital space - including its structural relationships, such as containment, proximity, and reachability. For adaptive security, topology expresses a rich representation of context that can provide a system with both structural and semantic awareness of important contextual characteristics. These include the location of assets being protected or the proximity of potentially threatening agents that might harm them. Security-related actions, such as the physical movement of an actor from a room to another in a building, may be viewed as topological changes. The detection of a possible undesired topological change (such as an actor possessing a safe’s key entering the room where the safe is located) may lead to the decision to deploy a particular security control to protect the relevant asset. This position paper advocates topology awareness for more effective engineering of adaptive security. By monitoring changes in topology at runtime one can identify new or changing threats and attacks, and deploy adequate security controls accordingly. The paper elaborates on the notion of topology and provides a vision and research agenda on its role for systematically engineering adaptive security systems.

Engineering topology aware adaptive security: Preventing requirements violations at runtime

Adaptive security systems aim to protect critical assets in the face of changes in their operational environment. We have argued that incorporating an explicit representation of the environments topology enables reasoning on the location of assets being protected and the proximity of potentially harmful agents. This paper proposes to engineer topology aware adaptive security systems by identifying violations of security requirements that may be caused by topological changes, and selecting a set of security controls that prevent such violations. Our approach focuses on physical topologies; it maintains at runtime a live representation of the topology which is updated when assets or agents move, or when the structure of the physical space is altered. When the topology changes, we look ahead at a subset of the future system states. These states are reachable when the agents move within the physical space. If security requirements can be violated in future system states, a configuration of security controls is proactively applied to prevent the system from reaching those states. Thus, the system continuously adapts to topological stimuli, while maintaining requirements satisfaction. Security requirements are formally expressed using a propositional temporal logic, encoding spatial properties in Computation Tree Logic (CTL). The Ambient Calculus is used to represent the topology of the operational environment - including location of assets and agents - as well as to identify future system states that are reachable from the current one. The approach is demonstrated and evaluated using a substantive example concerned with physical access control.

User-centric adaptation of multi-tenant services: preference-based analysis for service reconfiguration

Multi-tenancy is a key pillar of cloud services. It allows different tenants to share computing resources transparently and, at the same time, guarantees substantial cost savings for the providers. However, from a user perspective, one of the major drawbacks of multi-tenancy is lack of configurability. Depending on the isolation degree, the same service instance and even the same service configuration may be shared among multiple tenants (i.e. shared multi-tenant service). Moreover tenants usually have different - and in most of the cases - conflicting configuration preferences. To overcome this limitation, this paper introduces a novel approach to support user-centric adaptation in shared multi-tenant services. The adaptation objective aims to maximise tenants’ satisfaction, even when tenants and their preferences change during the service life-time. This paper describes how to engineer the activities of the MAPE loop to support user-centric adaptation, and focuses on the analysis of tenants’ preferences. In particular, we use a game theoretic analysis to identify a service configuration that maximises tenants’ preferences satisfaction. We illustrate and motivate our approach by utilising a multi-tenant desktop scenario. Obtained experimental results demonstrate the feasibility of the proposed analysis.